Mainly just utilizing this to learn, working on deploying a home lab much like CptOfEvilMinions with Ansible. I am actually trying to include the Polylogx via an extension and using overrides to manage the flag files. Which when i query the flags it has everything that is required, except it is not generating the pipe as seen down below. Which the default Fleet Flag that is where it is listed, which I believe is C:\Program Files\Orbit\osquery.em . Is this correct? Or is this something that Orbit will not create from the TLS Configs?

\\.\pipe\osquery.em

hi jake, the path to that file depends on the root-dir you specify. If you don't specify it, it defaults as you mention to

C:\Program Files\Orbit\osquery.em

. Orbit does create that directory at the beginning

Thank you. I'm going to keep playing with it to figure why it's not creating.

not sure I follow, could you show me what you are running, and what you're expecting would happen?

I apologize. In the Agent_Options in the Org Config you can provide overrides such as various Flag Files. I have added an extensions.load with an extension directory. I have added the below to the Org Config.

spec:
  agent_options:
    config:
      decorators:
        load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
      options:
        allow_unsafe: true
        disable_distributed: false
        disable_events: false
        disable_extensions: false
        distributed_interval: 10
        distributed_plugin: tls
        distributed_tls_max_attempts: 3
        enable_ntfs_event_publisher: true
        enable_powershell_events_publisher: true
        enable_windows_events_publisher: true
        enable_windows_events_subscriber: true
        extensions_autoload: \Program Files\osquery\extensions.load
        extensions_require: trailofbits_osquery_extensions,plgx_win_extension
        logger_kafka_acks: all
        logger_kafka_brokers: <plaintext://kafka.brokk.taom.dev:9092>
        logger_kafka_topic: fleettest
        logger_plugin: tls
        logger_tls_endpoint: /api/v1/osquery/log
        logger_tls_period: 10
        ntfs_event_publisher_debug: true
        pack_delimiter: /
        verbose: true

In theory when using orbit it should start those extensions. When I query all the flags, everything is in place as it should based off the options. When using Orbit, it does not launch the extensions. If you use Orbit with Flagfiles, it does not launch it. But if I use osqueryd with the exact same flagfile it launches.

Ah, you can't do

extensions_autoload

as part of the config. It must be part of the flagfile.

So would adding that to the agent options, wouldnt that add it to the flags? Cause I can launch orbit, when I pull the flags its listed as part of the flags.

This might help: https://speakerdeck.com/zwass/10-pitfalls-on-the-path-to-osquery-bliss?slide=19

Awesome thank you very much ill check this out.

We need to add support for a flagfile in Orbit. There was actually an open PR for it I'll try to copy over (https://github.com/fleetdm/orbit/pull/30)

Thank you I will check out both of those. I appreciate the help. Makes sense though, that Orbit starts with base configs instead of pulling the configs then starting. I will stop going down this rabbit hole.